The content of this post is solely the responsibility of the author.  AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article. 

Cybersecurity is the practice of protecting information technology (IT) infrastructure assets such as computers, networks, mobile devices, servers, hardware, software, and data (personal and financial) against attacks, breaches and unauthorised access. With the growth of technology, most businesses rely on IT services, making cybersecurity a critical part of the IT infrastructure of any business.

The role of cybersecurity in financial institutions is vital, as the number and severity of cyber threats continue to rise each day. With the widespread use of technology and the increasing amount of data being stored and shared electronically, financial institutions must ensure that they have robust cybersecurity measures in place to protect against evolving threats.

Financial institutions face a range of cybersecurity threats, including phishing attacks, malware, ransomware, and distributed denial of service (DDoS) attacks. These threats can result in the theft of sensitive customer data (PII), financial fraud, and reputational damage. Theft of PII can also lead to identity theft.

Cybersecurity measures are designed to protect the confidentiality, integrity, and availability of data and systems. Confidentiality is the protection of sensitive information from unauthorised disclosure, using measures such as encryption and access control. Integrity is the accuracy and completeness of data, ensuring that it is not manipulated or corrupted, using measures such as data backups and system monitoring. Availability is the ability of authorised users to access systems and data whenever they need them, under any circumstances, using measures such as disaster recovery plans.

Before we go further and discuss the various threats faced by financial institutions, let’s look at the regulatory requirements and industry standards that apply to them.

There are mainly two standards which financial institutions must comply with:

PCI-DSS: The Payment Card Industry Data Security Standard is a set of security and compliance requirements designed to protect cardholder data; it defines how financial (card) data must be processed, stored and transmitted securely. The standard requires the use of encryption, masking, hashing and other secure mechanisms to safeguard customer data. PCI-DSS is widely accepted globally.

GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Modernisation Act of 1999, is a federal law in the United States which requires financial institutions to explain their information sharing practices to their customers and to safeguard sensitive data.

Apart from PCI-DSS and GLBA, some countries have their own privacy laws with which financial institutions must comply in order to operate. Non-adherence to regulatory compliance can attract penalties for financial institutions.

Top cybersecurity threats faced by banks are:

• Malware- Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server. It is very important to secure the customer devices, such as computers and mobile devices, that are used for digital transactions. Malware on these devices poses a significant risk to a bank’s cybersecurity when they connect to the network: confidential data passes through the network, and an infected user device without proper security can endanger the bank’s network.

• Phishing- Phishing is the attempt to obtain confidential data, such as credit and debit card details, for malicious use by posing as a trustworthy party in electronic communication. Online banking phishing scams have advanced constantly. They look real and genuine, but they trick you into giving away your access data.

• Spoofing- Spoofing can be used to gain access to a target’s PII (Personally Identifiable Information), spread malware through infected links or attachments, bypass network access controls, or redirect traffic to conduct a denial-of-service attack. Spoofing is often the way a bad actor gains access in order to execute a larger cyber-attack such as an advanced persistent threat or a man-in-the-middle attack.

• Unencrypted data- Unencrypted data is a significant threat to financial institutions, as hackers can use it immediately if they seize it. Therefore, all data should be encrypted, so that even if it is stolen, the thieves face the challenge of decrypting it.

• Cloud-based cybersecurity theft- There is an increased risk of cloud-based attacks as more software systems and data are stored in the cloud. Attackers have taken advantage of this, leading to a rise in cloud-based attacks.

• Insider threat- An insider threat refers to when someone with authorized access to an organization’s information or systems misuses that access to harm the organization. This can be intentional or unintentional and can come from employees, third-party vendors, contractors, or partners. Insider threats can include data theft, corporate espionage, or data destruction. People are the root cause of insider threats, and it’s important to recognize that anyone with access to proprietary data can pose a threat. 25% of security incidents involve insiders. Many security tools only analyse computer, network, or system data, but it’s crucial to consider the human element in preventing insider threats.

Financial institutions can take several steps to improve their cybersecurity posture and protect against evolving threats. Some best practices for cybersecurity in financial institutions include:

  • Regular risk assessments: Financial institutions should conduct regular risk assessments to identify potential vulnerabilities in their systems and networks. Risk assessments should include both technical and non-technical factors such as employee training and physical security.
  • Implementing strong access controls: Financial institutions should implement strong access controls to protect against unauthorized access to systems and data. Access controls should include strong passwords, multi-factor authentication, and role-based access controls.
  • Awareness programs: Financial institutions should educate employees on cybersecurity best practices and provide regular training to help them recognize and respond to potential threats. Employees should be trained on topics such as phishing, malware, and password security. Institutions can also run simulated phishing campaigns to raise employee awareness.
  • Encrypting sensitive data: Financial institutions should encrypt sensitive data such as customer information and financial transactions to protect against unauthorized disclosure.

Financial institutions must manage third-party risks by conducting due diligence on third-party vendors and ensuring that they have robust cybersecurity measures in place. This includes regular monitoring and auditing of third-party vendors to ensure that they are complying with cybersecurity standards and regulations.

Cybersecurity is a critical issue for financial institutions, given the sensitive information and valuable assets they handle. Financial institutions must prioritize cybersecurity measures to protect themselves and their customers from cyber-attacks. The evolving cyber threat landscape and the challenges financial institutions face in implementing effective cybersecurity measures make it crucial for them to stay up-to-date with evolving threats, invest more resources in cybersecurity, prioritize employee training and education, and manage third-party risks.

The post The role of cybersecurity in financial institutions -protecting against evolving threats appeared first on Cybersecurity Insiders.

Artificial intelligence is the hottest topic in tech today. AI algorithms are capable of breaking down massive amounts of data in the blink of an eye and have the potential to help us all lead healthier, happier lives.

The power of machine learning means that AI-integrated telehealth services are on the rise, too. Almost every progressive provider today uses some amount of AI to track patients’ health data, schedule appointments, or automatically order medicine.

However, AI-integrated telehealth may pose a cybersecurity risk. New technology is vulnerable to malicious actors and complex AI systems are largely reliant on a web of interconnected Internet of Things (IoT) devices.

Before adopting AI, providers and patients must understand the unique opportunities and challenges that come with automation and algorithms.

Improving the healthcare consumer journey

Effective telehealth care is all about connecting patients with the right provider at the right time. Folks who need treatment can’t be delayed by bureaucratic practices or burdensome red tape. AI can improve the patient journey by automating monotonous tasks and improving the efficiency of customer identity and access management (CIAM) software.

CIAM software that uses AI can utilize digital identity solutions to automate the registration and patient service process. This is important, as most patients say that they’d rather resolve their own questions and queries on their own before speaking to a service agent. Self-service features even allow patients to share important third-party data with telehealth systems via IoT tech like smartwatches.

AI-integrated CIAM software is interoperable, too. This means that patients and providers can connect to the CIAM using omnichannel pathways. As a result, users can use data from multiple systems within the same telehealth digital ecosystem. However, this omnichannel approach to the healthcare consumer journey still needs to be HIPAA compliant and protect patient privacy.

Medicine and diagnoses

Misdiagnoses are more common than most people realize. In the US, 12 million people are misdiagnosed every year. Diagnoses may be even more tricky via telehealth, as doctors can’t read patients’ body language or physically inspect their symptoms.

AI can improve the accuracy of diagnoses by leveraging machine learning algorithms during the decision-making process. These programs can be taught how to distinguish between different types of diseases and may point doctors in the right direction. Preliminary findings suggest that this can improve the accuracy of medical diagnoses to 99.5%.

Automated programs can help patients maintain their medicine and re-order repeat prescriptions. This is particularly important for rural patients who are unable to visit the doctor’s office and may have limited time to call in. As a result, telehealth portals that use AI to automate the process help providers close the rural-urban divide.

Ethical considerations

AI has clear benefits in telehealth. However, machine learning programs and automated platforms do put patient data at increased risk of exposure. Additionally, some patients are trying to replace human doctors and therapists altogether with programs like ChatGPT and AI screening apps.

Patients who utilize telehealth apps in lieu of providers must understand the ethical implications of AI healthcare. AI is naturally limited by the data it has been trained on and does not have the same checks and balances as human therapists. Instead of replacing real-life therapy, AI-powered apps should play a back-seat role in providing better, more relevant support.

It’s worth noting that some patients need human interaction. AI may be more efficient, but many patients want to be seen by a real doctor with the ability to empathize with their condition. The human need for connection can even help some patients turn the corner and work towards a healthier, happier life.

AI and Cybersecurity

Cybersecurity is an ever-present concern for healthcare providers across the globe. Patient data is extremely sensitive and cannot be put at risk by faulty algorithms or low-security software. Telehealth apps must be among the most secure platforms to build patient trust and maintain confidentiality.

Unfortunately, the increased adoption of AI means that the risk involved in telehealth is growing. Malicious actors use AI themselves to trawl massive amounts of data and spot security flaws. Telehealth providers must combat scammers and identity fraud by “baking in” security at every step.

Providers can reduce cybersecurity risks by requiring two-step authentication during log-in and timing inactive patients out when they are idle. These simple steps decrease the risk of malicious actors gaining access to patient data.

Additionally, telehealth providers need to regularly maintain and update points of connection. IoT devices are notorious for being weak points in the wider digital ecosystem and may give malicious actors the entry point they need to enter confidential patient portals. Providers can reduce the risk of hacking by testing their IoT network regularly and responding rapidly to potential weak points.

Conclusion

AI will improve the accuracy of medical diagnoses and help close the rural-urban healthcare divide. However, AI-integrated telehealth services may put some user data at risk. Providers can firm up their patient portals and CIAM software by utilizing common-sense procedures like two-factor authentication and hiring a team of cybersecurity specialists to reduce the risk of an attack.

The post The intersection of telehealth, AI, and Cybersecurity appeared first on Cybersecurity Insiders.

The spread of the remote workforce and the growth of digital transformation have multiplied the number of login-based attack vectors. While multi-factor authentication (MFA) generally protects against common methods of gaining unauthorized account access, not all multi-factor authentication methods can defend against sophisticated attacks. To achieve full zero-trust access, MFA is being replaced by phishing-resistant MFA and the standards that define it.

To give you a complete picture, I have identified key terminology and concepts surrounding phishing-resistant authentication and put them together in this handy glossary. To fully appreciate phishing-resistant MFA, it helps to know the vocabulary.

Account takeover

Achieving account takeover (ATO) means successfully compromising a target account with the intent of committing fraud. The account is fully compromised when the attacker can operate as the user with all of that user’s permissions and access privileges. ATO is often initiated by credential theft, which can be carried out using social engineering techniques (phishing attacks) or by bombarding login pages with bot-based attempts.

Phishing attacks

Phishing attacks attempt to steal personal data such as login credentials, credit card information, or even money using social engineering techniques. This type of attack is usually launched through e-mail messages, appearing to be sent from a reputable source, with the intention of persuading the user to open a malicious attachment or follow a fraudulent URL. The most targeted types of services are SaaS and webmail platforms, as well as payment services. Phishing attacks create many cascading effects, impacting businesses and individuals in many ways.

Man-in-the-Middle (MiTM) attacks

NIST defines a Man-in-the-Middle (MiTM) as “an attack in which an attacker is positioned between two communicating parties to intercept and/or alter data traveling between them.” In an authentication context, this would mean “the attacker would be positioned between claimant and verifier, between registrant and Credential Service Provider during enrollment, or between subscriber and Credential Service Provider during authenticator binding.”

Authentication

NIST states that “digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.”

For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurances that the subject accessing the service today is the same subject that accessed the service previously. Authentication establishes confidence that the claimant has possession of one or more authenticators bound to the credential. It does not determine the claimant’s authorizations or access privileges – for example, what they are allowed to do once they have successfully accessed a digital service.

2FA

Two-factor authentication, or 2FA, is an authentication method requiring the combination of two different types of factors to access protected resources. The three types of authentication factors are something you know, something you have, and something you are.

2FA improves the Single-Factor Authentication (SFA) login process. It does this by requiring not only a set of credentials based on what you know, such as a password (which is susceptible to phishing), but a second credential type based on what you possess, like your phone, token, or smart card, or what you are, including biometrics such as a fingerprint.

MFA

Multi-factor authentication, or MFA, requires two or more authentication factors before allowing access to gated systems. MFA can be achieved using a combination of the three types of authentication factors (something you know, something you have, and something you are). Because multi-factor authentication security requires multiple means of identification at login, it is widely recognized as the most secure method for authenticating access to data and applications.

Biometrics

Biometrics are physical or behavioral human characteristics used as an authentication factor (something you are). Common biometrics are fingerprint, facial recognition, or voice recognition. Biometrics are another way to unlock the user’s private keys, thereby completing the FIDO2 or PKI authentication process. Safer than a password, the user’s biometric data never leaves the device, and it enables secure login without the use of passwords.

Phishing-resistant MFA

Phishing-resistant MFA is multi-factor authentication protected from attempts to compromise the authentication process through phishing attacks. Several elements are required to qualify an authentication method as phishing-resistant, including a strong, trusted relationship through cryptographic registration, eliminating shared secrets, and responding only to valid requests from known and trusted parties. “Phishing-resistant MFA is nothing more than the same authentication process, but people are removed from the equation,” says the SANS Institute.

Phishing-resistant MFA methods include Fast IDentity Online (FIDO), certificate-based authentication (CBA), Personal Identity Verification (PIV), and artifacts governed by Public Key Infrastructure (PKI).

SMS OTP

Security experts consider SMS authentication vulnerable to SIM swapping attacks and interception over public networks. When an authentication code is sent via SMS to a mobile device, we must be confident that the message reaches the intended recipient. However, research has demonstrated increasing success in redirecting or intercepting SMS messages at little cost or effort.

Push notification OTP

Push notification authentication validates login attempts by sending one-time passcodes to an associated mobile device. Although not phishing-resistant, NIST and other security agencies consider push notification OTP to offer higher security than SMS OTP. It has certain weaknesses, however, including vulnerability to MFA bombing attacks (also called MFA fatigue). This vulnerability can be reduced with number matching. “Number matching is a setting that forces the user to enter numbers from the identity platform into their app to approve the authentication request,” explains CISA (Cybersecurity & Infrastructure Security Agency). The agency recommends number matching to mitigate MFA fatigue in push notification OTP.
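The following is an added example (not code from the original post, CISA or any vendor) of the identity-platform side of push-notification OTP with number matching: a blind “Approve” tap without the number shown on the login page cannot complete the login, a small number of mismatches denies the challenge, and stale challenges expire. The challenge IDs, the two-digit range, the 60-second lifetime and the three-miss limit are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Decision is the state of a push challenge.
type Decision int

const (
	Pending Decision = iota
	Approved
	Denied
)

func (d Decision) String() string {
	return [...]string{"Pending", "Approved", "Denied"}[d]
}

// PushChallenge is one login attempt awaiting a decision in the user's app.
// Number is shown on the login page only; the app must send it back.
type PushChallenge struct {
	ID       string
	Number   int
	IssuedAt time.Time
	Decision Decision
	misses   int
}

// PushService is the identity-platform side of push-notification MFA.
type PushService struct {
	TTL        time.Duration
	MaxMisses  int
	Now        func() time.Time // injectable clock (assumption for testing)
	challenges map[string]*PushChallenge
}

func NewPushService(ttl time.Duration, maxMisses int) *PushService {
	return &PushService{TTL: ttl, MaxMisses: maxMisses, Now: time.Now,
		challenges: map[string]*PushChallenge{}}
}

// Issue creates a challenge with a random two-digit number (00-99) from a
// cryptographic source, which the login page displays to the user.
func (s *PushService) Issue(id string) (*PushChallenge, error) {
	n, err := rand.Int(rand.Reader, big.NewInt(100))
	if err != nil {
		return nil, err
	}
	c := &PushChallenge{ID: id, Number: int(n.Int64()), IssuedAt: s.Now()}
	s.challenges[id] = c
	return c, nil
}

// Approve is what the app sends when the user taps Approve. A plain tap (the
// response an MFA-fatigue victim gives) is not enough: the number typed into
// the app must match the one on the login page, within the TTL, and repeated
// mismatches deny the challenge outright instead of letting a guess continue.
func (s *PushService) Approve(id string, entered int) (Decision, error) {
	c, ok := s.challenges[id]
	if !ok {
		return Denied, errors.New("unknown challenge")
	}
	if c.Decision != Pending {
		return c.Decision, errors.New("challenge already decided")
	}
	if s.Now().Sub(c.IssuedAt) > s.TTL {
		c.Decision = Denied
		return Denied, errors.New("challenge expired")
	}
	if entered != c.Number {
		c.misses++
		if c.misses >= s.MaxMisses {
			c.Decision = Denied
			return Denied, errors.New("too many mismatches; challenge denied")
		}
		return Pending, fmt.Errorf("number mismatch (%d of %d allowed)", c.misses, s.MaxMisses)
	}
	c.Decision = Approved
	return Approved, nil
}

// Deny records an explicit rejection, e.g. the user did not start this login.
func (s *PushService) Deny(id string) {
	if c, ok := s.challenges[id]; ok && c.Decision == Pending {
		c.Decision = Denied
	}
}

func main() {
	svc := NewPushService(60*time.Second, 3)
	c, _ := svc.Issue("login-1") // constructed challenge ID
	fmt.Printf("login page shows %02d\n", c.Number)
	d, err := svc.Approve("login-1", (c.Number+1)%100) // a tap with the wrong number
	fmt.Println(d, err)
	d, err = svc.Approve("login-1", c.Number) // the number actually displayed
	fmt.Println(d, err)
}
```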

FIDO2

The Fast Identity Online (FIDO) alliance was created to offer a secure way for consumers to authenticate to online services. FIDO Authentication is a global authentication standard based on public key cryptography. With FIDO Authentication, users sign in with phishing-resistant credentials called passkeys. Passkeys can be synced across devices or bound to a platform or security key, enabling password-only logins to be replaced with secure and fast login experiences across websites and apps.

Passkeys are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. The FIDO2 protocol is passwordless and uses standard public key cryptography techniques for stronger authentication.

FIDO security keys or FIDO authenticator

A FIDO security key embeds one or more private keys, each dedicated to one online account. The FIDO protocol requires a “user gesture”: the user needs to unlock the FIDO authenticator using their fingerprint, pressing a button on a second-factor device, entering a PIN or other method – before the private key can be used to sign a response to an authentication challenge.

FIDO passkeys

A FIDO passkey is a digital credential connected to a user account and an application or website. It looks like a digital pop-up on a user’s device and can be immediately accepted by the user. Passkeys can be synced across devices or bound to a platform or FIDO security key and enable password-only logins to be replaced with secure and fast login experiences across websites and apps.
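As an added illustration of the FIDO2 and security-key entries above (this is example code, not the FIDO Alliance’s or any vendor’s implementation): each private key is bound to the relying party it was registered with, and the signature covers both that relying-party identifier and the server’s fresh challenge, so a look-alike origin gets no signature and a captured signature cannot be replayed. The domain names and the simplified signed-data layout are assumptions; real WebAuthn additionally signs flags, a counter and the full client data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a FIDO security key: one private key per relying
// party identifier (rpID), created at registration and never exported.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register generates a fresh P-256 key pair bound to rpID and hands the
// relying party only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// signedData is a simplified form of the WebAuthn layout: the hash of the
// rpID is concatenated with the challenge before hashing, so a signature is
// valid for exactly one relying party and one challenge.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}

// Assert is called with the origin the browser actually connected to. The
// authenticator only holds keys for origins where the user registered, so a
// look-alike phishing origin receives no signature at all.
func (a *Authenticator) Assert(originRPID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[originRPID]
	if !ok {
		return nil, errors.New("no credential registered for " + originRPID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedData(originRPID, challenge))
}

// RelyingParty is the server: it keeps the registered public key and checks
// assertions only against challenges it issued itself.
type RelyingParty struct {
	ID     string
	pubKey *ecdsa.PublicKey
}

// NewChallenge returns 32 random bytes; a fresh value per login defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	return c, nil
}

// Verify succeeds only if sig was produced by the registered key over this
// relying party's ID and this exact challenge.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pubKey, signedData(rp.ID, challenge), sig)
}

// Scenario registers a key with a constructed relying party, then runs a
// genuine login, a login relayed through a constructed look-alike origin, and
// a replay of an earlier signature against a new challenge.
func Scenario() (genuineOK, phishingBlocked, replayBlocked bool, err error) {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "bank.example"} // constructed relying party ID
	if rp.pubKey, err = auth.Register(rp.ID); err != nil {
		return false, false, false, err
	}
	ch1, e := rp.NewChallenge()
	if e != nil {
		return false, false, false, e
	}
	sig1, e := auth.Assert("bank.example", ch1) // browser really is at bank.example
	if e != nil {
		return false, false, false, e
	}
	genuineOK = rp.Verify(ch1, sig1)

	ch2, _ := rp.NewChallenge()
	_, e = auth.Assert("bank-login.example", ch2) // constructed look-alike origin
	phishingBlocked = e != nil

	replayBlocked = !rp.Verify(ch2, sig1) // old signature, new challenge
	return genuineOK, phishingBlocked, replayBlocked, nil
}

func main() {
	g, p, r, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine login verified: %v\nlook-alike origin got a signature: %v\nreplay verified: %v\n", g, !p, !r)
}
```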

PKI

Public Key Infrastructure (PKI) is the umbrella term for all assets that establish and manage public key encryption, or “a foundational infrastructure component used to securely exchange information using digital certificates,” as Gartner states. Put another way, PKI is the collection of policies, processes, and technologies that allow you to sign and encrypt data, and it underpins the basis of all trustworthy online communication.

PIV

In layman’s terms, Personal Identity Verification (PIV) is a physical artifact, e.g., an identity card or smart card, containing identity credentials (such as biometrics or cryptographic keys) that combine two secure authentication assets “so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer-readable and verifiable).”

CBA

Certificate-based authentication (CBA) allows users to authenticate with a client certificate instead of passwords. Trust is given by the party issuing the certificate – typically a Certificate Authority (CA) when maximum security is desired. Self-signed certificates are also in use but do not provide the same level of validation as a trusted CA. CBA can be used in concert with other methods to create a form of phishing-resistant MFA.

US Executive Order 14028

In 2021, to help protect the United States from increasing cyber threats, the White House issued an Executive Order (EO 14028) to improve security in the Federal Government. By 2024, Federal agencies must enforce MFA to access federal systems using phishing-resistant authentication methods such as Certificate Based Authentication (CBA), Personal Identity Verification (PIV) cards or derived PIV, and FIDO2 authentication.

ENISA guidelines for strong authentication

ENISA recommends the use of phishing-resistant authentication for its superior security. However, ENISA qualified this recommendation by advising that more secure authentication should be used “where possible.” Today, the most widely available phishing-resistant methods are FIDO2 security keys or physical PKI smart cards. Practical considerations in relation to hardware management and provisioning, as well as operational constraints, may limit organizations’ ability to deploy them for all use cases.

CISA guidance on Phishing-Resistant MFA

CISA, America’s cyber defense agency, has released two fact sheets highlighting threats against accounts and systems using certain forms of multi-factor authentication (MFA). CISA strongly urges all organizations to implement phishing-resistant MFA to protect against phishing and other known cyber threats. CISA recommends that users and organizations see the CISA fact sheets Implementing Phishing-Resistant MFA and Implementing Number Matching in MFA Applications.

To learn more about phishing-resistant authentication:

View the webinar “Conquer Phishing Attacks with Certificate-Based and FIDO Authentication” from Thales and Microsoft.

Source: CISA, ENISA, and NIST glossaries

The post Phishing-resistant MFA 101: What you need to know appeared first on Cybersecurity Insiders.

As a natural language processing model, ChatGPT – and other similar machine learning-based language models – is trained on huge amounts of textual data. Processing all this data, ChatGPT can produce written responses that sound like they come from a real human being.

ChatGPT learns from the data it ingests. If this information includes your sensitive business data, then sharing it with ChatGPT could potentially be risky and lead to cybersecurity concerns.

For example, what if you feed ChatGPT pre-earnings company financial information, proprietary company software code, or materials used for internal presentations without realizing that practically anybody could obtain that sensitive information just by asking ChatGPT about it? If you use your smartphone to engage with ChatGPT, then a smartphone security breach could be all it takes to access your ChatGPT query history.

In light of these implications, let’s discuss if – and how – ChatGPT stores its users’ input data, as well as potential risks you may face when sharing sensitive business data with ChatGPT.

Does ChatGPT store users’ input data?

The answer is complicated. While ChatGPT does not automatically add data from queries to models specifically to make this data available for others to query, any prompt does become visible to OpenAI, the organization behind the large language model.

Although no membership inference attacks have yet been carried out against the large language models that drive ChatGPT, databases containing saved prompts as well as embedded learnings could potentially be compromised by a cybersecurity breach. OpenAI, the parent company that developed ChatGPT, is working with other companies to limit the general access that language models have to personal data and sensitive information.

But the technology is still in its nascent developing stages – ChatGPT was only just released to the public in November of last year. Just two months into its public release, ChatGPT had been accessed by over 100 million users, making it the fastest-growing consumer app ever. With such rapid growth and expansion, regulations have been slow to keep up. The user base is so broad that there are abundant security gaps and vulnerabilities throughout the model.

Risks of sharing business data with ChatGPT

In June 2021, researchers from Apple, Stanford University, Google, Harvard University, and others published a paper that revealed that GPT-2, a language model similar to ChatGPT, could accurately recall sensitive information from training documents.

The report found that GPT-2 could call up information with specific personal identifiers, recreate exact sequences of text, and provide other sensitive information when prompted. These “training data extraction attacks” could present a growing threat to the security of researchers working on machine learning models, as hackers may be able to access machine learning researcher data and steal their protected intellectual property.

One data security company, Cyberhaven, has released reports on the risky ChatGPT usage it has recently blocked. According to the reports, Cyberhaven has identified and prevented insecure requests to input data on ChatGPT’s platform from about 67,000 employees at the security firm’s client companies.

Statistics from the security platform cite that the average company is releasing sensitive data to ChatGPT hundreds of times per week. These requests have presented serious cybersecurity concerns, with employees attempting to input data that includes client or patient information, source code, confidential data, and regulated information.

For example, medical clinics use private patient communication software to help protect patient data all the time. According to the team at Weave, this is important to ensure that medical clinics can gain actionable data and analytics so they can make the best decisions while ensuring that their patients’ sensitive information remains secure. But using ChatGPT can pose a threat to the security of this kind of information.

In one troubling example, a doctor typed their patient’s name and specific details about their medical condition into ChatGPT, prompting the LLM to compose a letter to that patient’s insurance company. In another worrying example, a business executive copied the entire 2023 strategy document of their firm into ChatGPT’s platform, causing the LLM to craft a PowerPoint presentation from the strategy document.

Data exposure

There are preventive measures you can take to protect your data in advance and some companies have already begun to impose regulatory measures to prevent data leaks from ChatGPT usage.

JP Morgan, for example, recently restricted ChatGPT usage for all of its employees, citing that it was impossible to determine who was accessing the tool, for what purposes, and how often. Restricting access to ChatGPT altogether is one blanket solution, but as the software continues to develop, companies will likely need to find other strategies that incorporate the new technology.

Boosting company-wide awareness about the possible risks and dangers can instead help make employees more careful in their interactions with ChatGPT. For example, Amazon employees have been publicly warned to be careful about what information they share with ChatGPT.

Employees have been warned not to copy and paste documents directly into ChatGPT and instructed to remove any personally identifiable information, such as names, addresses, credit card details, and specific positions at the company.

But limiting the information you and your colleagues share with ChatGPT is just the first step. The next step is to invest in secure communication software that provides robust security, ensuring that you have more control over where and how your data is shared. For example, building in-app chat with a secure chat messaging API ensures that your data stays away from prying eyes. By adding chat to your app, you ensure that users get context-rich, seamless, and most importantly secure chat experiences.  

ChatGPT serves other functions for users. As well as composing natural, human-sounding language responses, it can also create code, answer questions, speed up research processes, and deliver specific information relevant to businesses.

Again, choosing a more secure and targeted software or platform to achieve the same aims is a good way for business owners to prevent cybersecurity breaches. Instead of using ChatGPT to look up current social media metrics, a brand can instead rely on an established social media monitoring tool to keep track of reach, conversion and engagement rates, and audience data.

Conclusion

ChatGPT and other similar natural language models provide companies with a quick and easy resource for productivity, writing, and other tasks. Since no training is needed to adopt this new AI technology, any employee can access ChatGPT. This means the possible risk of a cybersecurity breach expands accordingly.

Widespread education and public awareness campaigns within companies will be key to preventing damaging data leaks. In the meantime, businesses may want to adopt alternative apps and software for daily tasks such as interacting with clients and patients, drafting memos and emails, composing presentations, and responding to security incidents.

Since ChatGPT is still a new, developing platform it will take some time before the risks are effectively mitigated by developers. Taking preventive action is the best way to ensure your business is protected from potential data breaches.

The post Sharing your business’s data with ChatGPT: How risky is it? appeared first on Cybersecurity Insiders.

This blog was jointly written with Alejandro Prada and Ofer Caspi.

Executive summary

SeroXen is a new Remote Access Trojan (RAT) that showed up in late 2022 and is becoming more popular in 2023. Advertised as a legitimate tool that gives undetected access to computers, it is being sold for only $30 for a monthly license or $60 for a lifetime bundle, making it easy to acquire.

Key takeaways:

  • SeroXen is a fileless RAT, performing well at evading detections on static and dynamic analysis.
  • The malware combines several open-source projects to improve its capabilities. It is a combination of Quasar RAT, r77-rootkit and the command-line utility NirCmd.
  • Hundreds of samples have shown up since its creation, being most popular in the gaming community. It is only a matter of time before it is used to target companies instead of individual users.

Analysis

Quasar RAT is a legitimate open-source remote administration tool. Its GitHub page offers it for user support or employee monitoring. It has historically been associated with malicious activity by threat actors and APT groups (as in this Mandiant report from 2017) and with government-linked attacks (as in this Unit42 report from 2017).

It was first released in July 2014 as “xRAT” and renamed to “Quasar” in August 2015. Since then, updates to the code have been released up to v1.4.1 in March 2023, the most current version. As an open-source RAT still receiving updates 9 years after its creation, it is no surprise that it continues to be a common tool, used by itself or combined with other payloads, by threat actors to this day.

In a review of the most recent samples, Alien Labs observed a new Quasar variant in the wild: SeroXen. This new RAT is a modified branch of the open-source version, adding modifications and features to the original RAT. It is sold for a monthly or lifetime fee. Figure 1 contains some of the features advertised on its website.

Figure 1. SeroXen features announced on its website.

This new RAT first showed up on a Twitter account, established in September 2022. The person advertising the RAT appeared to be an English-speaking teenager. The same Twitter handle published a review of the RAT on YouTube. The video approached the review from an attacking/Red Team point of view, encouraging people to buy the tool because it is worth the money. They were claiming to be a reseller of the tool.

In December 2022, a specific domain was registered to market/sell the tool, seroxen[.]com. The RAT was distributed via a monthly license for $30 USD or a lifetime license of $60 USD. It was around that time that the malware was first observed in the wild, appearing with 0 detections on VirusTotal.

After a few months, on the 1st of February, the YouTuber CyberSec Zaado published a video alerting the community about the capabilities of the RAT from a defensive perspective. In late February, the RAT was advertised on social media platforms such as TikTok, Twitter, YouTube, and several cracking forums, including hackforums. There were some conversations on gaming forums complaining about being infected by malware after downloading some video games. The artifacts described by the users matched with SeroXen RAT.

The threat actor updated the domain name to seroxen[.]net by the end of March. This domain name was registered on March 27th, 2023, after seroxen[.]com was decommissioned. The threat actor used GoDaddy for registration and Cloudflare for hosting the website. These domains are only used for selling and marketing purposes, and not for Command and Control (C&C) communications.

Figure 2. SeroXen website.

Based on the packed versions uploaded to VT, the RAT appears to be used to target video game users. Several lure files posing as cheat injectors have been observed with names invoking popular video games such as Fortnite, Valorant, Roblox or Warzone2. The threat actor used Discord to distribute some of the samples.

Figure 3. SeroXen timeline.

One of the most relevant announced features is that it is fully undetectable. This is currently true from a static analysis point of view, since the RAT is packaged into an obfuscated PowerShell batch file. The file’s size typically ranges between 12 and 14 megabytes, as seen in sample 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 uploaded to VT on May 21. Due to its relatively large size, certain antivirus engines may choose not to analyze it, potentially bypassing detection. This sample currently has 0 detections on VT, but some of the crowdsourced Sigma rules do flag the activity as suspicious.

As the malware is fileless and executed only in memory after going through several decryption and decompression routines, it is harder for antivirus products to detect. In addition, its rootkit loads a fresh copy of ntdll.dll, which makes it harder to detect for Endpoint Detection & Response (EDR) solutions that hook into that library to detect process injection.

Regarding dynamic analysis, it is worth noting that some sandbox environments might fail to detect the RAT, because it uses several techniques to evade virtualization and sandbox detection mechanisms and encrypts the strings of subsequent payloads.

The RAT employs anti-debugging techniques, leveraging Windows Management Instrumentation (WMI) to identify the system’s manufacturer. This enables it to identify virtualization environments such as VMware and abort execution, delaying and complicating analysis. The RAT also checks for the presence of debuggers and uses ping commands to make its threads sleep.

Currently, most child processes and files dropped during the execution of the RAT have a low detection rate.

Execution analysis

When the malicious payload is delivered to the victim, commonly through a phishing mail or a Discord channel, the victim often receives a ZIP file containing a benign file in plain sight, while the heavily obfuscated batch file is hidden and automatically executed when the archive’s content is launched. The bat file format is always very similar and looks like the contents of Figure 4, followed by base64-encoded text later in the file.

Figure 4. Obfuscated bat script.

During the bat execution, the script extracts two separate binaries from the base64-encoded text, AES-decrypts them and GZIP-decompresses them to produce two separate byte arrays. These byte arrays are then used with .NET reflection to load each assembly in memory from its bytes, locate the binary’s entry point, and invoke both.

During the decryption process, the attackers needed a legitimate-looking folder in which to drop an illicit version of the System Configuration Utility msconfig.exe that is required later. For this purpose, the script creates the folder “C:\Windows \System32”, with a space after Windows, and deletes it as soon as the utility is running. If it weren’t for this file temporarily dropped to disk, the RAT would be fully fileless.

The execution of one of the above-mentioned binaries leads to another obfuscated binary carrying an embedded resource. This resource is hidden behind anti-sandboxing and anti-debugging techniques, only to lead to more obfuscation and encryption layers before the final payload. This payload has been built using the GitHub project Costura, which allows SeroXen to pack the code’s dependencies into the .NET assembly so it can run self-contained.

Figure 5. Payload embedded resources.

Extracting the resources yields the final payloads: two .NET assemblies, CSStub2.InstallStager.exe and CSStub2.UninstallStager.exe, and a Win32 binary called CSStub2.$sxr-nircmd.exe, which corresponds to the unmodified command-line utility NirCmd.

The payload InstallStager.exe is a build of the open-source rootkit named r77-rootkit, a fileless ring 3 rootkit written in .NET. This rootkit supports both 32-bit and 64-bit Windows processes and has the following features:

  • Fileless persistence: The rootkit is stored as obfuscated data in the registry and is spawned with PowerShell via Task Scheduler to be injected into the winlogon.exe process.
  • Child process hooking.
  • Option to embed additional malware to be executed with the rootkit, in this case NirCmd and/or Quasar. The added malware is decompressed and decrypted before it is injected into other processes.
  • In-memory process injection: the rootkit injects itself and the additional malware into all processes. Injection is done from memory; no files need to be stored on disk.
  • Hooking: Hooks several functions from ntdll.dll to hide its presence.
  • Communication via named pipe: The rootkit can receive commands from any running process.
  • Antivirus / EDR evasion: The rootkit uses several evasion techniques:
    • AMSI bypass: A PowerShell inline script patches “amsi.dll!AmsiScanBuffer” to always return “AMSI_RESULT_CLEAN”.
    • DLL unhooking: Removes EDR hooks by loading a fresh copy of “ntdll.dll” from disk, to avoid process hollowing detection.
  • Hiding entities: Every entity whose name starts with a configurable prefix is hidden; in SeroXen’s case the prefix is “$sxr”. The prefix makes the attack harder to see on the system, but eases attribution of the malware family during analysis. It is used to hide files, directories, named pipes, scheduled tasks, processes, registry keys/values, and services.

The r77 technical documentation lists where the prefix is used:

| Config parameter | Details | Example |
| --- | --- | --- |
| HIDE_PREFIX | The prefix for name-based hiding (e.g. processes, files, etc.). | L"$sxr" |
| R77_SERVICE_NAME32 | Name for the scheduled task that starts the r77 service for 32-bit processes. | HIDE_PREFIX L"svc32" |
| R77_SERVICE_NAME64 | Name for the scheduled task that starts the r77 service for 64-bit processes. | HIDE_PREFIX L"svc64" |
| CHILD_PROCESS_PIPE_NAME32 | Name for the named pipe that notifies the 32-bit r77 service about new child processes. | L"\\.\pipe\" HIDE_PREFIX L"childproc32" |
| CHILD_PROCESS_PIPE_NAME64 | Name for the named pipe that notifies the 64-bit r77 service about new child processes. | L"\\.\pipe\" HIDE_PREFIX L"childproc64" |
| CONTROL_PIPE_NAME | Name for the named pipe that receives commands from external processes. | L"\\.\pipe\" HIDE_PREFIX L"control" |

The two main components in this project are the InstallStager service and the rootkit. The InstallStager service is responsible for:

  • Creating a registry key to store the malware code, written as encrypted data.
  • Creating a scheduled task to execute the malware using PowerShell. PowerShell decompresses and decrypts the final payload (the service), which is injected into the winlogon.exe process and executed via dllhost.exe using process hollowing techniques.
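The artifacts listed above (the trailing-space “C:\Windows \System32” folder, the $sxr hide prefix on registry keys, named pipes and scheduled tasks, and the PowerShell-launched scheduled task) are exactly what a defender can hunt for. The following is an added example, not Alien Labs’ detection code: it runs three rules over constructed Sysmon-style events whose field names follow Sysmon conventions but whose contents are made up.

```python
"""Detection logic for the SeroXen / r77 artifacts described above.

Added example, not Alien Labs' detection code. It scans constructed
Sysmon-style events (one JSON object per line) for:
  * the fake trusted directory "C:\\Windows \\System32" (trailing space),
  * names carrying the r77 hide prefix ($sxr in SeroXen) in registry keys,
    named pipes, scheduled tasks, services and processes,
  * scheduled tasks whose action launches PowerShell (the r77 persistence
    mechanism described above).
Field names follow Sysmon conventions; the events themselves are made up.
"""
import json
import re
from dataclasses import dataclass
from typing import Iterable, List

HIDE_PREFIX = "$sxr"  # r77 name-based hiding prefix as used by SeroXen

# A path component ending in whitespace, e.g. "C:\Windows \System32".
# Legitimate Windows directory names never end in a space.
_TRAILING_SPACE_DIR = re.compile(r"\\[^\\]*?\s+(?:\\|$)")

# Fields in which a hide-prefixed name would appear, per event type.
_NAME_FIELDS = {
    "RegistryEvent": ("TargetObject",),
    "PipeCreated": ("PipeName",),
    "ProcessCreate": ("Image", "CommandLine"),
    "ServiceInstall": ("ServiceName",),
    "TaskCreate": ("TaskName", "TaskContent"),
}


@dataclass(frozen=True)
class Alert:
    rule: str
    event_type: str
    evidence: str


def _has_prefixed_name(value: str, prefix: str) -> bool:
    # The prefix starts a path or name component: "HKLM\SOFTWARE\$sxrconfig",
    # "\\.\pipe\$sxrcontrol", "/tn $sxrsvc64".
    return any(part.startswith(prefix) for part in re.split(r"[\\/\s\"']+", value))


def scan_event(event: dict, prefix: str = HIDE_PREFIX) -> List[Alert]:
    """Apply the three rules to one event and return the alerts raised."""
    alerts: List[Alert] = []
    etype = event.get("EventType", "")
    # Rule 1: a path with a trailing-space component, such as the
    # "C:\Windows \System32" folder used to drop msconfig.exe.
    for field in ("TargetFilename", "Image", "CommandLine"):
        value = event.get(field, "")
        if _TRAILING_SPACE_DIR.search(value):
            alerts.append(Alert("trailing_space_directory", etype, value))
            break
    # Rule 2: any artifact whose name carries the hide prefix.
    for field in _NAME_FIELDS.get(etype, ()):
        value = event.get(field, "")
        if _has_prefixed_name(value, prefix):
            alerts.append(Alert("hide_prefix_artifact", etype, value))
            break
    # Rule 3: a scheduled task that starts PowerShell (fileless r77 start-up).
    if etype == "TaskCreate" and "powershell" in event.get("TaskContent", "").lower():
        alerts.append(Alert("powershell_scheduled_task", etype, event.get("TaskName", "")))
    return alerts


def scan_log(lines: Iterable[str], prefix: str = HIDE_PREFIX) -> List[Alert]:
    """Scan JSON-lines input; blank lines are skipped."""
    alerts: List[Alert] = []
    for line in lines:
        line = line.strip()
        if line:
            alerts.extend(scan_event(json.loads(line), prefix))
    return alerts


# Constructed sample log: two benign events followed by four modelled on the
# artifacts in the report (backslashes are JSON-escaped).
SAMPLE_LOG = r"""
{"EventType": "FileCreate", "Image": "C:\\Windows\\explorer.exe", "TargetFilename": "C:\\Users\\bob\\notes.txt"}
{"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\msconfig.exe", "CommandLine": "msconfig.exe"}
{"EventType": "FileCreate", "Image": "C:\\Windows\\System32\\cmd.exe", "TargetFilename": "C:\\Windows \\System32\\msconfig.exe"}
{"EventType": "RegistryEvent", "TargetObject": "HKLM\\SOFTWARE\\$sxrconfig\\stager"}
{"EventType": "PipeCreated", "PipeName": "\\$sxrcontrol"}
{"EventType": "TaskCreate", "TaskName": "$sxrsvc64", "TaskContent": "powershell -nop -w hidden -c <decrypt-and-inject>"}
""".splitlines()

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"{alert.rule:26} {alert.event_type:14} {alert.evidence}")
```

The trailing-space rule is the most reliable of the three, since no legitimate Windows directory name ends in whitespace, while the prefix rule must be re-tuned whenever an operator rebuilds r77 with a different HIDE_PREFIX.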

Figure 6. Starting payload after decryption using process hollowing.

Now the second and main stage, the rootkit, is ready to start. The service loads the rootkit’s DLL, which is embedded as a resource, and saves its configuration in a registry key (in SeroXen’s case, HKEY_LOCAL_MACHINE\SOFTWARE\$sxrconfig).

The service creates 3 listener threads:

  • NewProcessListener: Enumerates all running processes and injects the rootkit when new processes are created.
  • ChildProcessListener: Injects the rootkit to a newly created process by another process and updates the callee via NamedPipe.

Figure 7. Child process injection.

  • ControlPipeListener: Creates a NamedPipe to receive commands from any process. Supported commands are listed below:

| Command | Details |
| --- | --- |
| CONTROL_R77_UNINSTALL | The control code that uninstalls r77. |
| CONTROL_R77_PAUSE_INJECTION | The control code that temporarily pauses injection of new processes. |
| CONTROL_R77_RESUME_INJECTION | The control code that resumes injection of new processes. |
| CONTROL_PROCESSES_INJECT | The control code that injects r77 into a specific process, if it is not yet injected. |
| CONTROL_PROCESSES_INJECT_ALL | The control code that injects r77 into all processes that are not yet injected. |
| CONTROL_PROCESSES_DETACH | The control code that detaches r77 from a specific process. |
| CONTROL_PROCESSES_DETACH_ALL | The control code that detaches r77 from all processes. |
| CONTROL_USER_SHELLEXEC | The control code that executes a file using ShellExecute. |
| CONTROL_USER_RUNPE | The control code that executes an executable using process hollowing. |
| CONTROL_SYSTEM_BSOD | The control code that triggers a BSOD. |
| CONTROL_R77_TERMINATE_SERVICE | The control code that terminates the r77 service. |

The DLL rootkit carries out process injections, executes commands received by other processes, and keeps out of sight any sign of SeroXen being executed within the system.

Figure 8. System function hooking.

As a summary of the execution process:

Figure 9. SeroXen decryption flow.

Since SeroXen is based on Quasar RAT, the C&C server uses the same Common Name in its TLS certificate. The functionalities offered by the threat actor for the C&C server closely mirror those found in the Quasar GitHub repository, including support for TCP network streams (both IPv4 and IPv6), efficient network serialization, compression using QuickLZ, and secure communication through TLS encryption.

Figure 10. Quasar Server Certificate.

Conclusion

The SeroXen developer has found a formidable combination of free resources to develop a RAT that is hard to detect in both static and dynamic analysis. The use of an elaborate open-source RAT like Quasar, almost a decade after its first appearance, provides an advantageous foundation for the RAT. The combination of NirCmd and r77-rootkit is a logical addition to the mix, since they make the tool more elusive and harder to detect.

The Alien Labs team will continue to monitor the threat landscape for SeroXen samples and infrastructure.

Detection methods

The following associated detection methods are in use by Alien Labs. They can be used by readers to tune or deploy detections in their own environments or for aiding additional research.

SURICATA IDS SIGNATURES

2035595: ET TROJAN Generic AsyncRAT Style SSL Cert

2027619: ET TROJAN Observed Malicious SSL Cert (Quasar CnC)

 

Associated indicators (IOCs)

The following technical indicators are associated with the reported intelligence. A list of indicators is also available in the OTX Pulse. Please note, the pulse may include other activities related but out of the scope of the report.

 

| TYPE | INDICATOR | DESCRIPTION |
| --- | --- | --- |
| SHA256 | 8ace121fae472cc7ce896c91a3f1743d5ccc8a389bc3152578c4782171c69e87 | Example malware hash |

Mapped to MITRE ATT&CK

The findings of this report are mapped to the following MITRE ATT&CK Matrix techniques:

  • TA0002 : Execution 
  • T1053: Scheduled Task/Job 
  • T1053.005: Scheduled Task 
  • T1059: Command and Scripting Interpreter 
  • T1059.003: Windows Command Shell 
  • TA0003: Persistence 
  • T1547: Boot or Logon Autostart Execution 
  • T1547.001 Registry Run Keys / Startup Folder 
  • TA0004: Privilege Escalation 
  • T1548: Abuse Elevation Control Mechanism 
  • T1548.002: Bypass User Account Control 
  • TA0005: Defense Evasion 
  • T1112: Modify Registry 
  • T1553: Subvert Trust Controls 
  • T1553.002: Code Signing 
  • T1564: Hide Artifacts 
  • T1564.001: Hidden Files and Directories 
  • T1564.003: Hidden Window 
  • TA0006: Credential Access 
  • T1552: Unsecured Credentials 
  • T1552.001: Credentials In Files 
  • T1555: Credentials from Password Stores 
  • T1555.003: Credentials from Web Browsers 
  • TA0007: Discovery 
  • T1016: System Network Configuration Discovery 
  • T1033: System Owner/User Discovery 
  • T1082: System Information Discovery 
  • T1614: System Location Discovery 
  • TA0008: Lateral Movement 
  • T1021: Remote Services 
  • T1021.001: Remote Desktop Protocol 
  • TA0009: Collection
  • T1005: Data from Local System 
  • T1056: Input Capture 
  • T1056.001: Keylogging 
  • T1125: Video Capture 
  • TA0011: Command and Control 
  • T1090: Proxy 
  • T1095: Non-Application Layer Protocol  
  • T1105: Ingress Tool Transfer 
  • T1571: Non-Standard Port 
  • T1573: Encrypted Channel
  • T1573.001: Symmetric Cryptography 


The post SeroXen RAT for sale appeared first on Cybersecurity Insiders.


Numerous risks are inherent in the technologies that all organizations use. These risks have especially become apparent with recent ransomware attacks, which have crippled major infrastructure such as the Colonial Pipeline in the Eastern United States [1]. This discussion will focus on how GRC, or governance, risk, and compliance, can help organizations face and manage the risks that they face.

As GRC is broken down into three components, a discussion of each will illuminate why each is critical for risk management. The first part of GRC is governance. Governance involves ensuring that the IT organization is managed in a way that is consistent with the overall business goals [2]. The overall business goals are the strategy that an organization puts in place to ensure that they enjoy a competitive advantage. It is necessary to ensure that proper controls are in place that manage risks, and that starts at the governance level, with high-level business strategies [3].

From an IT perspective, risk involves IT management ensuring that any organizational activities that they conduct are consistent with the organizational business goals as just stated. This means that the IT departments’ risk management process should be a part of the corporate risk management functionality. When IT departments limit their activities to economic and technical aspects, they fail to be engaged in the organization’s strategy, which fails to fully leverage the strength and potential of the company [4].

The IT department’s risk strategies, when aligned with the corporate risk management policies, work in concert to make certain that the risks identified by upper management are reflected in risk management and prevention that occurs within the IT department. One way that organizations using GRC ensure that IT remains aligned with the corporate leadership’s risk management policies and objectives is by setting specific measurable objectives that demonstrate the effectiveness of how GRC is applied in the IT context.

The final area of GRC is compliance. While often considered adherence to laws and regulations, compliance can have a true impact on risk as well. As the complexity of compliance with myriads of regulatory requirements increases, the IT department is often involved with aiding the company to meet compliance demands. The complexity of compliance demands (that come with significant penalties for failures) can often only be accomplished with the support of IT, as the IT department establishes systems and processes which can help the organization to remain in compliance. If surveillance systems are not set up and used properly and the organization is found to be out of compliance, this could cause an enormous risk of financial penalties which could be crippling for the organization [5].

As this brief discussion has outlined, using GRC to manage IT departments is essential for multiple reasons. First, it ensures that the IT department is aligned with the rest of the organization and its strategies. Second, IT organizations run using GRC ensure that their risk management activities are aligned with the corporate risk management activities, so that risks identified by the leadership are addressed in IT. Finally, using GRC ensures that the IT department does its part to keep the organization in compliance with regulatory demands. This will protect against the risk of costly penalties for compliance failures.

References

  1. Ransomware attack forces shutdown of largest fuel pipeline in the U.S. (https://www.cnbc.com/2021/05/08/colonial-pipeline-shuts-pipeline-operations-after-cyberattack.html)
  2. What is GRC and why do you need it? (https://www.cio.com/article/230326/what-is-grc-and-why-do-you-need-it.html)
  3. Corporate Governance and Risk Management: Lessons (Not) Learnt from the Financial Crisis (https://www.mdpi.com/1911-8074/14/9/419)
  4. The impact of enterprise risk management on competitive advantage by moderating role of information technology (https://www.sciencedirect.com/science/article/abs/pii/S0920548918301454)
  5. Dialectic Tensions in the Financial Markets: A Longitudinal Study of pre- and Post-Crisis Regulatory Technology (https://journals.sagepub.com/doi/10.1057/s41265-017-0047-5)

The post Managing technology risk appeared first on Cybersecurity Insiders.

Introduction

Today you look at the Global/Multi-site Enterprise Security Architecture of an organization and see a myriad of concerns. Increased levels of complexity, difficulties managing multiple third parties, difficulties implementing consistent levels of security, and so on. This makes it imperative for organizations to identify opportunities to simplify, streamline, and generally improve their infrastructure wherever possible.

Managing the level of complexity is becoming increasingly difficult. Security is often only partially implemented, which is an ongoing challenge.

Terminology

  • AWS Region – a physical location around the world where we cluster data centers.
  • AWS Availability Zone (AZ) – is one or more discrete data centers with redundant power, networking, and connectivity in an AWS Region.
  • AWS Services – AWS offers a broad set of global cloud-based products, including computing, storage, database, analytics, networking, machine learning and AI, mobile, developer tools, IoT, security, enterprise applications, and more.
  • AWS Transit Gateway (TGW) – A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure.

Global/Multi-Site Enterprise Architecture

Many organizations are using Global/Multi-site with dated technology spread throughout data centers and networks mixed in with some newer technologies. This can include uncounted third parties as well. These sites often include multiple environments (like Dev, QA, Pre-Prod, and Prod) supported by numerous technologies spread across both physical and virtual servers, including databases, web, and application servers, and more.

Modifications can be challenging when integrating legacy with new technologies. Sometimes they can require a complete redesign of existing infrastructure. Understandably, most organizations tend to shy away from exploring anything that seems like a significant upgrade or change. Thankfully there are some solutions available that can substantially improve operations and infrastructure without the typical complexities and implementation challenges.

One such example is outlined below.

Example AWS Transit Gateway (TGW) Global Diagram

AWS Transit Gateway is a cloud-based tool that permits a simplified, secure networking approach for companies requiring a hybrid solution that can scale according to their global/multi-site enterprise business needs. The AWS Transit Gateway integrates with Palo Alto Security Devices, which helps to reduce the organization’s risk footprint.

AWS Transit Gateway architecture is used to consolidate site-to-site VPN connections from your on-premises network to your AWS environment and support connectivity between your team development and workload hosting VPCs and your infrastructure shared services VPC. This information will help you make a more informed decision as you consider the recommended approach of using AWS Transit Gateway.

AWS Transit Gateway connects your Amazon Virtual Private Clouds (VPCs) and on-premises networks through a central hub. This simplifies your network and puts an end to complex peering relationships. It acts as a cloud router – each new connection is only made once.

As you expand globally, inter-region peering connects AWS Transit Gateways together using the AWS global network. Your data is secured automatically and encrypted; it never travels over the public internet, only on the AWS Global Network. Because of its central position, AWS Transit Gateway Network Manager has a unique view over your entire network, even connecting to Software-Defined Wide Area Network (SD-WAN) devices.

General tips

Data transfer charges apply based on the source, destination, and amount of traffic. Here are some general tips for when you start planning your architecture:

  • Avoid routing traffic over the internet when connecting to AWS services from within AWS by using VPC endpoints:
    • VPC gateway endpoints allow communication to Amazon S3 and Amazon DynamoDB without incurring data transfer charges within the same Region.
    • VPC interface endpoints are available for some AWS services. This type of endpoint incurs hourly service charges and data transfer charges.
  • Use Direct Connect instead of the Internet for sending data to on-premises networks.
  • Traffic that crosses an Availability Zone boundary typically incurs a data transfer charge. Use resources from the local Availability Zone whenever possible.
  • Traffic that crosses a regional boundary will typically incur a data transfer charge. Avoid cross-Region data transfer unless your business case requires it.
  • Use the AWS Free Tier. Under certain circumstances, you may be able to test your workload free of charge.
  • Use the AWS Pricing Calculator to help estimate the data transfer costs for your solution.

Use a dashboard to better visualize data transfer charges; this workshop shows how.

Cybersecurity

A cybersecurity approach must include how to address the global enterprise architecture.

A collaborative approach permits meetings to review the global enterprise architecture and workflow.

Hold an introductory overview session to gather the preliminary information for each of the sections listed above, in relation to a phased/planned approach for introducing the AWS Transit Gateway. The phases can include compliance with standards such as NIST.

This extensive security approach would cover all the items listed in the prior sections and the required daily business workflows from end to end.

Areas to cover include global/multi-site security certificates, data at rest, data in transit, networks, firewalls/security devices, circuits, and communications. Topics include strategies, securing the edge, risk-based cyber assessment, MTDR (Managed Threat Detection and Response), and endpoint/network security.

In the future, we will review other Cybersecurity offerings with AWS Services and the reasons why a company would want to invest in AWS Transit Gateway.

Conclusion

AWS provides the ability to deploy across multiple Availability Zones and Regions. This allows organizations to reduce the complexity of their architecture, improve overall performance, and increase dynamic scalability. By streamlining networks and removing unnecessary middlemen, organizations can also improve overall security by reducing risks associated with having multiple vendors while also increasing operational oversight across their infrastructure.

This blog post provided information to help you make an informed decision and explore different architectural patterns to save on data transfer costs. AT&T Cybersecurity offers services to assist you in your journey. You can review the references listed below to gain additional perspective.


The post Introduction to the purpose of AWS Transit Gateway appeared first on Cybersecurity Insiders.


In an era where digital technology increasingly underpins food production and distribution, the urgency of cybersecurity in agriculture has heightened. A surge of cyberattacks in recent years, disrupting operations, causing economic losses, and threatening the security of the food industry, all underscore this escalating concern.

In April 2023, hackers targeted irrigation systems and wastewater treatment plants in Israel. The attack was part of an annual “hacktivist” campaign, and it temporarily disabled automated irrigation systems on about a dozen farms in the Jordan Valley. The attack also disrupted wastewater treatment processes at the Galil Sewage Corporation.

In addition, in June 2022, six grain cooperatives in the US were hit by a ransomware attack during the fall harvest, disrupting their seed and fertilizer supplies. Adding to this growing list, a leading US agriculture firm also fell victim to a cyberattack the same year, which affected operations at several of its production facilities.

These incidents highlight the pressing need for improved cybersecurity in the agricultural sector and underscore the challenges and risks this sector faces compared to others.

As outlined in a study, “Various technologies are integrated into one product to perform specific agricultural tasks.” An example provided is that of an irrigation system which “has smart sensors/actuators, communication protocols, software, traditional networking devices, and human interaction.”

The study further elaborates that these complex systems are often outsourced from diverse vendors for many kinds of environments and applications. This complexity “increases the attack surface, and cyber-criminals can exploit vulnerabilities to compromise one or other parts of the agricultural application.”

However, the situation is far from hopeless. By taking decisive action, we can significantly strengthen cybersecurity in the agricultural sector. Here are three strategies that pave the way toward a more secure future for the farming industry:

1. Strengthening password practices

Weak or default passwords are an easily avoidable security risk that can expose vital assets in the agricultural sector to cyber threats. Arguably, even now, people have poor habits when it comes to password security.

As per the findings of a survey conducted by GoodFirms:

  • A significant percentage of people – 62.9%, to be exact – update their passwords only when prompted.
  • 45.7% of people admitted to using the same password across multiple platforms or applications.
  • More than half of the people had shared their passwords with others, such as colleagues, friends, or family members, raising the risk of unauthorized access.
  • A surprising 35.7% of respondents reported keeping a physical record of their passwords on paper, sticky notes, or in planners.

These lax password practices have had tangible negative impacts, with 30% of users experiencing security breaches attributable to weak passwords.

Attackers guess weak passwords with brute-force, dictionary and credential-stuffing attacks, or simply obtain them through phishing, and then use them to read sensitive information or take control of critical systems.

Therefore, agricultural organizations need to make passwords stronger. Here are some of the critical steps these organizations need to take:

  • Require long, unique passwords. The usual baseline is 8+ characters with mixed letters, numbers and symbols; length helps more than forced symbol rules, so favour passphrases where the system allows them.
  • Force a change when a compromise is suspected. Blanket rotation every three months is no longer recommended by NIST SP 800-63B, because it pushes users toward predictable variants of the old password.
  • Enforce multi-factor authentication on all systems, starting with remote access paths into OT and with cloud or vendor management consoles.
  • Replace default and shared credentials on network and OT devices, and change them whenever staff leave or a credential is suspected stolen, so that stolen copies stop working.
  • Deploy a password manager so staff can generate and store a different strong password per system instead of writing them down.
  • Prohibit password sharing and reuse across platforms.
  • Reject passwords built from dictionary words, common phrases or personal information, and screen new passwords against lists of known-breached passwords.

2. Maintaining updated systems

In the digitally transformed landscape of agriculture, known vulnerabilities linked to outdated software and hardware present significant cybersecurity risks. Cybercriminals often exploit these weaknesses in such systems, compounding the cybersecurity challenges faced by the industry.

The Ponemon Institute, in a comprehensive study, found that 60% of organizations that experienced a breach said it occurred due to a known vulnerability that was left unpatched, even though a patch was available. Further complicating matters, the study reported that 88% of IT teams had to coordinate with other departments when patching vulnerabilities. This coordination added an extra 12 days before a patch could be applied, leaving systems vulnerable for a more extended period.

As we’ve seen from the damaging agricultural infrastructure attacks, neglecting cybersecurity in the context of known vulnerabilities can lead to significant problems. Regular updates and patches are not just good practice—they’re a crucial first line of defense against cyberattacks. In the digitally transforming world of agriculture, this is not merely an option—it’s a necessity.

3. Securing operational technology traffic

Given the scale of the risks associated with known vulnerabilities, it’s clear that agribusinesses face a significant cybersecurity challenge. However, the threats are not confined to these known issues alone. The unknown vulnerabilities, particularly those associated with Operational Technology (OT) systems, present another layer of risk that has recently come into focus.

The growing prevalence of Internet of Things (IoT) devices in contemporary agriculture amplifies these concerns. If not adequately secured, these devices can expand the attack surface, offering potential attackers an open door to critical systems.

Highlighting the severity of such issues, Itay Glick, VP of Products at OPSWAT, brings up the cyberattack on irrigation systems in Israel. He pointed out that weak passwords and outdated OT devices were a significant part of the problem. He noted that “there was a critical vulnerability in a specific device dated back to 2015 (CVE-2015-7905), which could have been exploited by any average hacker.”

The vulnerability Glick referred to underscores the importance of regularly updating OT devices. “If this was the case, this underscores the importance of scanning and validating that OT devices are updated,” he emphasized.

Beyond keeping OT devices patched, two further measures follow: segregate OT traffic from the corporate IT network, and monitor whatever traffic does cross that boundary. Segregation makes it harder for an attacker who has compromised an office workstation or a phished account to reach controllers and sensors, while monitoring allows early detection of any connection that should not be there. Agribusinesses must heed this advice as the digital landscape continues to evolve and the stakes continue to rise.
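The monitoring half of that advice is concrete enough to show. The following is an added example, not code from the original article or from any vendor quoted in it: a small shell filter that reads network flow records and flags any connection entering the OT subnet from a source that is not on the allowlist of engineering hosts. The log format, the subnet addresses, the allowlisted hosts and the sample flow lines are all constructed assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the original article). Flags flows that cross the
# IT/OT boundary from a non-allowlisted source. The log format, subnets,
# allowlist and the sample lines below are constructed assumptions.

OT_PREFIX="10.50."                        # assumed OT subnet 10.50.0.0/16
ALLOWED_SOURCES="10.10.5.20 10.10.5.21"   # assumed engineering workstation + historian

# flag_ot_flows: reads "timestamp src dst dport proto" lines on stdin and
# prints one ALERT line per flow that enters the OT subnet from a source that
# is neither inside the OT subnet nor on the allowlist.
flag_ot_flows() {
    awk -v ot="$OT_PREFIX" -v allowed="$ALLOWED_SOURCES" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # $2 = source, $3 = destination, $4 = destination port
    index($3, ot) == 1 && index($2, ot) != 1 && !($2 in ok) {
        svc = ($4 == 502) ? "modbus" : ($4 == 20000) ? "dnp3" : ($4 == 44818) ? "enip" : "other"
        printf "ALERT %s %s -> %s:%s (%s)\n", $1, $2, $3, $4, svc
    }'
}

# Constructed sample flow log (not real traffic):
#  1. allowlisted engineering host polling a PLC over Modbus  -> quiet
#  2. ordinary office PC reaching the same PLC                -> ALERT
#  3. PLC-to-PLC traffic inside the OT subnet                 -> quiet
#  4. an Internet address reaching a device over EtherNet/IP  -> ALERT
#  5. office PC talking to an office server                   -> quiet
SAMPLE_LOG='2024-03-01T08:00:01 10.10.5.20 10.50.1.10 502 tcp
2024-03-01T08:00:02 10.10.7.33 10.50.1.10 502 tcp
2024-03-01T08:00:03 10.50.1.11 10.50.1.10 502 tcp
2024-03-01T08:00:04 203.0.113.9 10.50.1.12 44818 tcp
2024-03-01T08:00:05 10.10.7.33 10.10.8.1 443 tcp'

# count_alerts: number of flagged flows in the sample log.
count_alerts() { printf '%s\n' "$SAMPLE_LOG" | flag_ot_flows | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_LOG" | flag_ot_flows
```

In a real deployment the input would be NetFlow, firewall or span-port records rather than an embedded string, and the allowlist would be the same set of hosts the firewall between the two segments permits; any alert from this filter then means either the firewall rules and the allowlist have drifted apart or something is talking to the controllers that should not be.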

Conclusion

Cyber threats pose grave risks, with the potential to disrupt operations and cause hefty financial losses. Plus, the enduring harm to brand image and customer trust post-attack can be tough to bounce back from. A thorough assessment of current cybersecurity protocols, identification of potential vulnerabilities, and application of the discussed solutions should be on top of the list. These steps encompass the use of robust and unique passwords, segregation and monitoring of OT traffic, and consistent updating of software and hardware.

In the final analysis, agribusinesses that can integrate these cybersecurity measures into their operations are better positioned to secure their future in the rapidly evolving agricultural landscape.

The post Three ways agribusinesses can protect vital assets from cyberattacks appeared first on Cybersecurity Insiders.


In today’s digital age, sensitive information is constantly being shared and transmitted over electronic devices and networks. Whether it is personal information such as social security numbers, financial information such as card details, or business information such as trade secrets and client data, it must be kept secure and protected from unauthorized access. One of the most effective ways to do this is encryption.

Encryption is the process of converting plain text or data into an unreadable format using an encryption algorithm, which can only be deciphered or decrypted by those who have the decryption key. This ensures that if the file or email is intercepted or accessed by unauthorized users, they will not be able to read the information.

In cybersecurity, encryption is the primary control for data confidentiality. On its own it does not guarantee integrity or authenticity: some ciphertext can be altered without the change being noticed, so practical systems pair encryption with a message authentication code, an authenticated-encryption mode such as AES-GCM, or a digital signature. In day-to-day life, encryption is used in many ways without the user noticing. For example, online transactions are encrypted so that a user’s financial information cannot be intercepted and stolen in transit, and messaging and email applications use it to keep conversations from being read by unauthorized parties.

Why encrypt files and Emails?

It is important for computer users to encrypt their files and emails because they may contain sensitive information that could be intercepted or accessed by unauthorized users. Encryption adds a layer of protection that survives the other defenses failing: even if a file or message is copied or intercepted by a malicious user, it is unreadable and unusable without the key. This limits the damage from lost devices, stolen backups and intercepted mail.
Encryption also matters for regulatory compliance. GDPR and HIPAA require appropriate safeguards for personal and health data and recognise encryption as one of them, and PCI DSS requires cardholder data to be protected in storage and in transit; failure to comply can result in legal and financial penalties. Encrypting emails and files helps protect individuals and organisations from threats such as identity theft and financial fraud, and, when combined with the authentication mechanisms mentioned above, preserves both the confidentiality and the integrity of the data.

How to encrypt files:

Here are some steps you can follow to encrypt files:

  • Identify the file you want to encrypt; it can be any file, such as a document, image or video.
  • Choose the encryption software. Windows (BitLocker, EFS) and macOS (FileVault, encrypted disk images) have built-in features, and popular stand-alone tools include VeraCrypt, 7-Zip, GnuPG and AxCrypt. Install the tool you chose.
  • Open the file you want to encrypt in the tool.
  • Choose the encryption algorithm from those the tool offers. Prefer AES; Blowfish, which some tools still list, is an older cipher with a 64-bit block size and is best avoided for new use.
  • The tool will ask you to create a passphrase or password, from which it derives the key that encrypts and decrypts the file. Choose a long, unique passphrase, keep it safe (losing it means losing the file, since there is no recovery without it) and do not share it.
  • Start the encryption process. The time taken varies with the file size and the algorithm chosen.
  • Once encryption completes, the encrypted file is saved with a new extension that depends on the tool (for example .gpg for GnuPG or .7z for 7-Zip). Delete or securely erase the original plaintext afterwards, otherwise the encrypted copy protects nothing.

By following these steps, you can encrypt your files and protect sensitive information from unauthorized access and interception.
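The same steps can be carried out from a terminal. What follows is an added example, not code from the original article or from any of the tools it names: it encrypts a file under a passphrase with the openssl command line (assumed to be installed, OpenSSL 1.1.1 or newer for the -pbkdf2 option), decrypts it again, and shows what happens with the wrong passphrase. The file names, passphrases and file contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original article): passphrase-based file
# encryption with the openssl command line, assumed installed. File names,
# passphrases and contents are constructed for the demo.

# encrypt_file PLAINTEXT CIPHERTEXT PASSPHRASE
# The passphrase is handed to openssl through an environment variable so it
# never appears on the command line, where other users could read it via ps.
# -pbkdf2/-iter: stretch the passphrase into a key with PBKDF2-HMAC-SHA256,
#                making each guess in an offline attack cost 200000 hashes.
# -salt: a random salt stored in the file header, so the same file encrypted
#        twice under the same passphrase gives different ciphertext.
encrypt_file() {
    FILE_PASSPHRASE="$3" openssl enc -aes-256-cbc -salt -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE
}

# decrypt_file CIPHERTEXT PLAINTEXT PASSPHRASE : non-zero exit on a bad passphrase
decrypt_file() {
    FILE_PASSPHRASE="$3" openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 \
        -in "$1" -out "$2" -pass env:FILE_PASSPHRASE 2>/dev/null
}

# roundtrip_ok: encrypt a constructed file, decrypt it, print "ok" if the
# result matches and the ciphertext does not leak the plaintext words.
roundtrip_ok() {
    dir=$(mktemp -d)
    printf 'customer: Example Farm Co-op\ncard: 4111 1111 1111 1111\n' > "$dir/ledger.txt"
    encrypt_file "$dir/ledger.txt" "$dir/ledger.txt.enc" 'demo-passphrase-change-me'
    decrypt_file "$dir/ledger.txt.enc" "$dir/ledger.dec" 'demo-passphrase-change-me'
    if cmp -s "$dir/ledger.txt" "$dir/ledger.dec" && ! grep -q 'Example Farm' "$dir/ledger.txt.enc"; then
        echo ok
    else
        echo mismatch
    fi
    rm -rf "$dir"
}

# wrong_passphrase_rejected: a wrong passphrase must either make openssl fail
# (the usual "bad decrypt") or, rarely, yield garbage that differs from the
# original; either way the plaintext is not recovered.
wrong_passphrase_rejected() {
    dir=$(mktemp -d)
    printf 'secret\n' > "$dir/p.txt"
    encrypt_file "$dir/p.txt" "$dir/p.enc" 'right-passphrase'
    if decrypt_file "$dir/p.enc" "$dir/p.dec" 'wrong-passphrase' && cmp -s "$dir/p.txt" "$dir/p.dec"; then
        echo accepted
    else
        echo rejected
    fi
    rm -rf "$dir"
}

roundtrip_ok
wrong_passphrase_rejected
```

One caveat a practitioner should know: `openssl enc` gives confidentiality only. AES-CBC carries no integrity check, so a modified ciphertext can decrypt to altered plaintext without any error. When tamper detection matters, use GnuPG’s symmetric mode (`gpg --symmetric --cipher-algo AES256`), whose format includes a modification detection code, or a tool built on authenticated encryption.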

How to encrypt E-mails:

Encrypting emails is another effective way to protect sensitive information from unauthorized access or interception. Here are some steps to follow to encrypt emails:

  • Choose an email encryption standard and tool. The two widely supported standards are OpenPGP (implemented by PGP, GnuPG and mail-client plugins) and S/MIME (Secure/Multipurpose Internet Mail Extensions), which uses X.509 certificates and is built into most corporate mail clients.
  • Install the tool and configure it for your email account following its documentation; browser and mail-client extensions exist for OpenPGP that make this easier. Generate your own key pair (or obtain an S/MIME certificate) and give the public half to the people who will write to you.
  • Obtain the recipient’s public key or certificate before you write to them, and verify its fingerprint over a second channel such as a phone call, since encrypting to an attacker’s key would defeat the purpose.
  • Compose the email as usual, select the option to encrypt it, and choose the recipient’s public key. Only the matching private key can then decrypt the message. Note that the Subject line and the To/From headers are not encrypted by either standard, so keep anything sensitive in the body.
  • Send the email as usual. The recipient decrypts it with their private key to view its contents.

Encrypting files and emails is a critical measure for protecting sensitive information from unauthorized access, interception and tampering. By following the steps outlined above, you can ensure that your files and emails are protected with strong algorithms and strong passphrases or keys, and that your sensitive information stays secure.

The post Encrypting files and emails: A beginner’s guide to securing sensitive information appeared first on Cybersecurity Insiders.


Cyberattacks have become increasingly common, with organizations of all types and sizes being targeted. The consequences of a successful cyberattack can be devastating. As a result, cybersecurity has become a top priority for businesses of all sizes.

However, cybersecurity is not just about implementing security measures. Organizations must also ensure they comply with relevant regulations and industry standards. Failure to comply with these regulations can result in fines, legal action, and damage to reputation.

Cybersecurity compliance refers to the process of ensuring that an organization’s cybersecurity measures meet relevant regulations and industry standards. This can include measures such as firewalls, antivirus, access management and data backup policies, etc. 

Cybersecurity regulations and standards

Compliance requirements vary depending on the industry, the type of data being protected, and the jurisdiction in which the organization operates. There are numerous cybersecurity regulations and standards; some of the most common include the following:

  • General Data Protection Regulation (GDPR)

The GDPR is a regulation implemented by the European Union that protects the privacy and personal data of individuals in the EU. It applies to any organization that processes the personal data of people located in the EU, regardless of where the organization is based.

  • Payment Card Industry Data Security Standard (PCI DSS)

This standard is administered by the Payment Card Industry Security Standards Council (PCI SSC). It applies to any organization that stores, processes or transmits cardholder data, which in practice means any organization that accepts card payments. The standard sets requirements for secure storage and transmission of that data, with the goal of reducing card fraud and tightening control over cardholder data.

  • Health Insurance Portability and Accountability Act (HIPAA)

HIPAA is a U.S. law that regulates the handling of protected health information (PHI). It applies to healthcare providers, insurance companies, and other organizations that handle PHI.

  • ISO/IEC 27001

ISO/IEC 27001 is an international standard that provides a framework for information security management systems (ISMS). It outlines best practices for managing and protecting sensitive information.

  • NIST Cybersecurity Framework

The NIST Cybersecurity Framework is a set of guidelines developed by the U.S. National Institute of Standards and Technology. It provides a framework for managing cybersecurity risk and is widely used by organizations in the U.S.

Importance of cybersecurity compliance

Compliance with relevant cybersecurity regulations and standards is essential for several reasons. First, it helps organizations follow best practices to safeguard sensitive data. Organizations put controls, tools, and processes in place to ensure safe operations and mitigate various risks. This helps to decrease the likelihood of a successful cyber-attack.

Next, failure to comply with regulations can result in fines and legal action. For example, GDPR allows fines of up to 4% of an organization’s global annual turnover or EUR 20 million, whichever is higher.

Finally, organizations that prioritize cybersecurity compliance and implement robust security measures are often seen as more reliable and trustworthy, giving them a competitive edge in the market. It demonstrates that an organization takes cybersecurity seriously and is committed to protecting sensitive data.

How to achieve cybersecurity compliance

Achieving cybersecurity compliance involves a series of steps to ensure that your organization adheres to the relevant security regulations, standards, and best practices:

1) Identify the applicable regulations and standards

The first step is identifying which regulations and standards apply to your organization. This will depend on factors such as the industry, the type of data being protected, and the jurisdiction in which the organization operates.

2) Conduct a risk assessment

Once you have identified the applicable regulations and standards, the next step is to conduct a risk assessment. This involves identifying potential risks and vulnerabilities within your organization’s systems, networks, and processes and assessing their likelihood and impact. This will help you determine the appropriate security measures to implement and prioritize your efforts.

3) Develop and implement security policies, procedures, and controls

Based on the risk assessment results, develop and implement security policies and procedures that meet the requirements of the relevant regulations and standards. This should also include implementing technical, administrative, and physical security controls, such as firewalls, encryption, regular security awareness training, etc.

4) Maintain documentation

Document all aspects of your cybersecurity program, including policies, procedures, risk assessments, and incident response plans. Proper documentation is essential for demonstrating compliance to auditors and regulators.

5) Foster a culture of security

Employees are often the weakest link in an organization’s cybersecurity defenses. Encourage a security-conscious culture within your organization by promoting awareness, providing regular training, and involving employees in cybersecurity efforts.

6) Monitor and update security measures

Cybersecurity threats are constantly evolving. Continuously monitor your organization’s cybersecurity posture and perform regular audits to keep compliance current. This may include regular security audits, penetration tests, patching known vulnerabilities and keeping software up to date.

Cybersecurity compliance expert tips

Proper compliance can be challenging, as implementing and maintaining effective cybersecurity measures requires specialized expertise and resources. Regulations and standards are often lengthy and can be difficult to interpret, especially for organizations without dedicated teams. Many organizations lack the resources to hire dedicated infosec or legal staff or to invest in advanced security technologies. In addition, the cybersecurity landscape is constantly evolving, and new threats emerge all the time. To overcome these challenges, several approaches help:

Implement a risk-based approach: A risk-based approach involves identifying your organization’s most critical vulnerabilities and threats. Focus your limited resources on addressing the highest-priority risks first, ensuring the most significant impact on your security posture.

Utilize third-party services: Small and medium-sized businesses frequently face budget constraints and lack expertise. Utilizing third-party services, such as managed security service providers (MSSPs), can be an effective solution.

Leverage open-source resources: There are plenty of free and open-source cybersecurity tools, such as security frameworks, vulnerability scanners, encryption software, etc. These can help you enhance your security posture without a significant financial investment.

Utilize cloud-based services: Consider using cloud-based security solutions that offer subscription-based pricing models, which can be more affordable than traditional on-premises security solutions.

Seek external support: Reach out to local universities, government organizations, or non-profit groups that provide cybersecurity assistance. They may offer low-cost or free guidance, resources, or tools to help you meet compliance requirements.

Collaborate with peers: Connect with other businesses or industry peers to share experiences, insights, and best practices related to compliance.  

Final thoughts: Moving towards a security-centric culture

Compliance with cybersecurity regulations and standards is vital but does not guarantee complete protection. Building a culture of security that transcends compliance is essential for safeguarding your organization’s assets and reputation. A security culture focuses on continuous improvement and adaptation to stay ahead of threats, taking a proactive approach to risk management, engaging employees at all levels, and fostering adaptability and resilience.

To build a security-centric culture in your organization, ensure senior leadership supports and champions the importance of security. Provide regular employee training and awareness programs to educate staff about cybersecurity best practices, their roles and responsibilities. Reward employees who demonstrate a strong commitment to security or contribute to enhancing the organization’s security posture. Encourage cross-functional collaboration and open communication about security issues, fostering a sense of shared responsibility and accountability.

The post Navigating the complex world of Cybersecurity compliance appeared first on Cybersecurity Insiders.